authorPeter Wu <peter@lekensteyn.nl>2016-02-24 00:35:44 +0100
committerAnders Broman <a.broman58@gmail.com>2016-02-24 06:02:37 +0000
commite395633224fd448fd93af0450b812228192d3a1b (patch)
treec11502044c3a118886c4e2a87b65f1cb2b3d85fd /wiretap
parentec691a9e20effe7998c02b21d592059b8da00488 (diff)
vwr: fix heap-based buffer overflow
Commit v1.99.10rc0-316-gf28e23f added some additional room for the 16 byte PLCP header and 1 byte L1P. These are however not part of the remaining data, only the header. Bug: 11795 Change-Id: Ia6935d27366a07f818f147c9094a801429b049e2 Reviewed-on: https://code.wireshark.org/review/12240 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'wiretap')
-rw-r--r--wiretap/vwr.c11
1 files changed, 4 insertions, 7 deletions
diff --git a/wiretap/vwr.c b/wiretap/vwr.c
index 846f0d5963..2a2107d9c0 100644
--- a/wiretap/vwr.c
+++ b/wiretap/vwr.c
@@ -1454,22 +1454,19 @@ static gboolean vwr_read_s2_s3_W_rec(vwr_t *vwr, struct wtap_pkthdr *phdr,
}
/*
+ * Fill up the per-packet header.
+ *
* We also copy over 16 bytes of PLCP header + 1 byte of L1P for user
* position.
*
* XXX - for S2, we don't have 16 bytes of PLCP header; do we have
* the 1 byte of L1P? The current Veriwave dissector just blindly
* assumes there's a 17-byte blob before the 802.11 header.
- */
- actual_octets = actual_octets + 17;
-
- /*
- * Fill up the per-packet header.
*
* We include the length of the metadata headers in the packet lengths.
*/
- phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets;
- phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + actual_octets;
+ phdr->len = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 17 + actual_octets;
+ phdr->caplen = STATS_COMMON_FIELDS_LEN + EXT_WLAN_FIELDS_LEN + 17 + actual_octets;
phdr->ts.secs = (time_t)s_sec;
phdr->ts.nsecs = (int)(s_usec * 1000);
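Review bot: The literal `17` is now repeated in the `phdr->len` and `phdr->caplen` assignments, and nothing next to them records the invariant this fix depends on, namely that `actual_octets` must stay the payload-only length. I would add a comment directly above the two assignments, e.g. `/* actual_octets is the payload length only; the 17 bytes of PLCP header + L1P are counted in len/caplen and must not be added to it */`, so a later edit does not fold the header size back into the variable. Giving the 17 a named constant alongside `STATS_COMMON_FIELDS_LEN` and `EXT_WLAN_FIELDS_LEN`, and writing `phdr->caplen = phdr->len;`, would also stop the two expressions drifting apart. The body of `vwr_read_s2_s3_W_rec` continues outside this hunk, so the later use of `actual_octets` as a copy length and any upper bound on `caplen` against the record buffer are not visible here and are worth confirming when reviewing the full function.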